As we can see, previously constructed file path is used as argument forphp function "require_once()". Sanitization against "../" works well inmost cases, but in case of underlying Windows operating system attackercan use backslashes and bypass such filtering with use of "..\".

As we can see, uploaded file extension is checked against allowedvalues, which prohibits from direct upload of php files and other interestingcontent. Attacker can upload images with php code inside, but it is useful onlywith additional LFI vulnerabilities.So question is, can we bypass file extension checks? How about null bytes?Little testing with php shows, that original filename, coming from $_FILES array,cannot contain null bytes. OK, that's understandable, php engine tries to be secure.But wait a minute ... how about "html_entity_decode" function, which is usedagainst original filename, coming from $_FILES array?Quick test shows, that using "�" or even "&#;" in original filename willbe transformed to null byte, which allows as bypass file extension checks.

So how to test this? I wrote little php script for proof of concept, below isfragment from specific POST request, which does the magic:

There is even easier way to exploit this vulnerability. We canwrite php script with contents "<?php phpinfo();?>" inside and withfilename "test.php&#;.jpg". We can use same html form for upload,as seen above and this time php file upload succeeds!

In previous vulnerability analysis we saw, that unauthorized upload vulnerabilityexists, but uploaded file is saved with random filename, which makes exploitationharder. As seen from source code snippet above, randomness in filename is causedby using "md5(rand())". In case of *nix platforms this means > 2 000 000 000possible filenames. But Windows platform is different. From php manual:

"If called without the optional min, max arguments rand() returns a pseudo-randominteger between 0 and getrandmax().Note: On some platforms (such as Windows), getrandmax() is only 32767."

So it appears, that on Windows platform there is only about 32768 possiblefilenames and therefore simple bruteforce can reveal valid path to uploaded file.

"Change your encryption key (PCI)Changing the encryption key will help increase security for your storeas a whole. By default the encryption key for processing orders is setto 12345. To change it to a unique series, in Admin go to System -> Settingsand click Edit for your store. Encryption Key can be found under the Server tab."

As we can see, it is very weak encryption scheme, which is vulnerableto Known Plaintext Attack. Default encryption key after OpenCart installationis "12345" and same key is used in multiple places in OpenCart functionality.One use of this encryption is obfuscation of uploaded file path:

As shown in previous analysis, attacker has the ability to upload files totarget system. In case of successful upload there is JSON-encoded string,which contains uploaded file path encrypted with same algorithm, asdiscussed. So here is known plaintext attack scenario for key retrieval:

Warning: Header may not contain more than a single header, new line detected. inC:\apache_www\opencart1521\system\engine\controller.php on line 29

As we can see, current php version is protected against HTTP header injections,but error message clearly shows, that HTTP Response Splitting Vulerabilityexists and is exploitable in case of older php versions.

Because HTTP header generation is done without any validation,attacker is able to use OpenCart installation for malicious redirectsto arbitrary websites. It means that OpenCart has Open Redirect Vulnerabilityas well :)

As described previously, using "md5(rand())" on Windows platform means,that there is only about 32768 different confirmation codes for adminpassword reset and therefore admin account takeover is possible by usingbruteforce attack.

Same problem as in previous case: using "md5(rand())" on Windows platform means,that there is only about 32768 different new passwords after customerpassword reset, therefore customer account takeover is possible by usingbruteforce attack.

Same problem as in previous cases: using "md5(rand())" on Windows platform means,that there is only about 32768 different new passwords after affiliatepassword reset, therefore affiliate account takeover is possible by usingbruteforce attack.

http://localhost/opencart1521/index.php?route=product/product&path[]Warning: explode() expects parameter 2 to be string, array given inC:\apache_www\opencart1521\catalog\controller\product\product.php on line 21

http://localhost/opencart1521/index.php?route=product/search&filter_name[]Warning: explode() expects parameter 2 to be string, array given inC:\apache_www\opencart1521\catalog\model\catalog\product.php on line 432

http://localhost/opencart1521/index.php?route=product/search&filter_tag[]Warning: explode() expects parameter 2 to be string, array given inC:\apache_www\opencart1521\catalog\model\catalog\product.php on line 454

http://localhost/opencart1521/admin/index.php?route=common/reset&code[]Warning: mysql_real_escape_string() expects parameter 1 to be string, array given inC:\apache_www\opencart1521\system\database\mysql.php on line 55